Patent abstract:
A user equipment (18) is configured to receive an extensible authentication protocol (EAP) request (28) from a session management function (SMF) (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18). Secondary authentication is authentication of the user equipment (18) in addition to the primary authentication of the user equipment (18). The user equipment (18) is also configured to, responsive to the EAP request (28), transmit an EAP response (30) to the SMF (14).
Publication number: BR112019014670A2
Application number: R112019014670
Filing date: 2017-12-22
Publication date: 2020-05-26
Inventors: Castellanos Zamora David; Ben Henda Noamen; Torvinen Vesa
Applicant: Ericsson Telefon Ab L M
IPC main class:
Patent description:

SECONDARY AUTHENTICATION OF USER EQUIPMENT
RELATED APPLICATIONS [001] This application claims priority to U.S. Provisional Patent Application Serial No. 62/451,645, filed on January 27, 2017, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD [002] The present application generally relates to a wireless communication network, and specifically refers to the secondary authentication of user equipment configured for use on a wireless communication network.
BACKGROUND [003] A wireless communication network conventionally authenticates user equipment based on credentials that are pre-provisioned by the network operator and securely stored on the user equipment. Support for alternative ways of authenticating user equipment would allow the wireless communication network to in turn support a variety of possible use cases. For example, it would allow factory owners or enterprises to leverage their own identity and credential management systems for authentication and network access security.
[004] Supporting alternative authentication methods is nonetheless technically challenging. Many authentication methods have strict recommendations and requirements on the transport network. In addition, relying on Internet Protocol (IP) connectivity to support alternative authentication methods is inflexible and impairs the separation between the control plane and the user plane.
SUMMARY
Petition 870190067273, of 16/07/2019, p. 178/239
[005] One or more embodiments herein exploit an extensible authentication protocol (EAP) between user equipment and a control plane function (for example, a session management function, SMF) to provide authentication of the user equipment. Such authentication can be, for example, secondary authentication that is performed in addition to (for example, after) primary authentication of the user equipment. Regardless, exploiting EAP in this way can be advantageous in that it supports different types of authentication methods, does not depend on IP connectivity or a specific type of access network, and/or is control-plane based so as to maintain separation between the control plane and the user plane.
[006] More particularly, embodiments herein include a method for secondary authentication of user equipment. The method may comprise receiving, by the user equipment, an extensible authentication protocol (EAP) request from a session management function (SMF) that serves as an EAP authenticator for secondary authentication of the user equipment, where secondary authentication is authentication of the user equipment in addition to primary authentication of the user equipment. The method may also comprise, responsive to the EAP request, transmitting an EAP response from the user equipment to the SMF.
[007] Embodiments herein also include a method for secondary authentication of user equipment. The method may comprise transmitting an extensible authentication protocol (EAP) request from a session management function (SMF) to user equipment, where the SMF serves as an EAP authenticator for secondary authentication of the user equipment, and where secondary authentication is authentication of the
user equipment in addition to the primary authentication of the user equipment. The method may also comprise, responsive to the EAP request, receiving an EAP response at the SMF from the user equipment.
[008] In some embodiments, the SMF also serves as an EAP server that performs an EAP authentication method for secondary authentication of the user equipment. In other embodiments, the SMF is configured to route the EAP request and EAP response between the user equipment and an EAP server that performs an EAP authentication method for the EAP authenticator.
[009] Still other embodiments herein include a method for secondary authentication of user equipment. The method may comprise transmitting an extensible authentication protocol (EAP) request from an EAP server to user equipment via a session management function (SMF), where the SMF serves as a pass-through EAP authenticator for secondary authentication of the user equipment, where secondary authentication is authentication of the user equipment in addition to primary authentication of the user equipment, and where the EAP server is configured to perform an EAP authentication method for the EAP authenticator. The method may also comprise, responsive to the EAP request, receiving an EAP response from the user equipment at the EAP server via the SMF.
[0010] In some embodiments, the user equipment and the SMF are configured for use in a wireless communication network, where the EAP server is in a data network with which the user equipment requests a user plane session, where the secondary authentication of the user equipment is authentication of the user equipment for establishing the user plane session, and where the secondary authentication is
delegated by the wireless communication network to the data network.
[0011] In some embodiments, the EAP request and the EAP response are transmitted between the SMF and the EAP server through a user plane function selected by the SMF. In one embodiment, for example, the user plane function serves as a proxy for the EAP server. In another embodiment, the user plane function serves as a router through which the EAP request and EAP response pass transparently.
[0012] In any of these embodiments, the EAP request and the EAP response can be encapsulated within respective non-access stratum (NAS) protocol messages between the SMF and the UE.
[0013] In some embodiments, the transmitting and receiving are performed after primary authentication of the user equipment by a security anchor function in a core network.
[0014] In some embodiments, a core network comprises multiple different network slices respectively dedicated to different services, and the secondary authentication of the user equipment comprises slice-specific authentication of the user equipment for access to a specific network slice of the core network.
[0015] In some embodiments, the method further comprises, based on successful secondary authentication of the user equipment, obtaining a security key shared between the user equipment and the SMF.
[0016] In some embodiments, a session establishment request transmitted from the user equipment triggers the secondary authentication of the user equipment. In one such embodiment, the session establishment request includes a secondary identity of the user equipment used for secondary authentication. Alternatively or additionally,
a session establishment response transmitted to the user equipment includes an EAP success message indicating secondary authentication success or an EAP failure message indicating secondary authentication failure.
[0017] In some embodiments, the method further comprises binding the secondary authentication of the user equipment to a channel over which the secondary authentication is performed.
[0018] In some embodiments, the method further comprises deriving, based on successful secondary authentication of the user equipment, a security key shared between the user equipment and the SMF, where said deriving comprises deriving the security key as a function of binding information associated with a channel over which the secondary authentication is performed. In one such embodiment, said binding information comprises one or more of: information identifying a type of access network through which the user equipment accesses a wireless communication network; information identifying a type of core network of the wireless communication network; information identifying a core network slice to which the user equipment is requesting access; and information identifying a type of core network slice to which the user equipment is requesting access.
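As an added illustration of the channel-bound key derivation just described (this is not code from the patent or from any 3GPP implementation): both the UE and the SMF derive the shared key from the EAP master session key (MSK) and the four binding parameters listed, and a key-confirmation MAC lets the SMF detect a UE that derived its key under different binding information. The KDF layout follows TS 33.220 Annex B; the FC value, the parameter encodings and the S-NSSAI sample bytes are constructed assumptions.

```python
import hashlib
import hmac
import struct

FC_SECONDARY_AUTH = 0x70  # constructed placeholder, not an allocated 3GPP FC value


def kdf(key, fc, *params):
    """HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...) with 2-byte big-endian
    lengths Li, the generic 3GPP KDF shape of TS 33.220 Annex B."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack("!H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_smf_key(msk, access_type, core_type, snssai, slice_type):
    """Derive the UE-SMF key from the EAP MSK, bound to the channel information of
    [0018]: access network type, core network type, the requested slice (S-NSSAI)
    and the slice type.  String encodings and the use of the first 32 MSK bytes
    are assumptions of this example.  Changing any parameter changes the key."""
    if len(msk) < 64:
        raise ValueError("RFC 3748 s.7.10: an exported MSK is at least 64 octets")
    return kdf(msk[:32], FC_SECONDARY_AUTH, access_type.encode(),
               core_type.encode(), snssai, slice_type.encode())


def key_confirmation(k_smf, transcript):
    """Truncated MAC over the session-establishment transcript, computed by each side
    with its own derived key.  It only verifies if both sides used the same binding
    information, so an exchange relayed over a different access or slice is caught."""
    return hmac.new(k_smf, transcript, hashlib.sha256).digest()[:16]


def smf_accepts(k_smf_side, transcript, ue_mac):
    """SMF-side check of the UE's key-confirmation value (constant-time compare)."""
    return hmac.compare_digest(key_confirmation(k_smf_side, transcript), ue_mac)


# Constructed sample values for a stand-alone run.
SAMPLE_MSK = bytes(range(64))                 # would come from the EAP method
SAMPLE_SNSSAI = b"\x01\x00\x00\x01"           # S-NSSAI: SST=1, SD=0x000001
SAMPLE_TRANSCRIPT = b"PDU SESSION ESTABLISHMENT ACCEPT|EAP-Success"

if __name__ == "__main__":
    k_ue = derive_smf_key(SAMPLE_MSK, "3GPP", "5GC", SAMPLE_SNSSAI, "eMBB")
    k_smf = derive_smf_key(SAMPLE_MSK, "3GPP", "5GC", SAMPLE_SNSSAI, "eMBB")
    k_relayed = derive_smf_key(SAMPLE_MSK, "non-3GPP", "5GC", SAMPLE_SNSSAI, "eMBB")
    print("same binding accepted:",
          smf_accepts(k_smf, SAMPLE_TRANSCRIPT, key_confirmation(k_ue, SAMPLE_TRANSCRIPT)))
    print("other access type accepted:",
          smf_accepts(k_smf, SAMPLE_TRANSCRIPT, key_confirmation(k_relayed, SAMPLE_TRANSCRIPT)))
```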
[0019] In some embodiments, the SMF is included in a 5G network.
[0020] Embodiments also include corresponding apparatus, computer programs, and carriers.
[0021] Some embodiments herein may therefore use EAP (RFC 3748) for authentication between a user equipment (UE) and a potentially external authentication, authorization, and accounting (AAA) server, where the SMF, a session management function in the 5G core, assumes the role
of the EAP authenticator. EAP payloads can be carried by the non-access stratum (NAS) protocol between the UE and the SMF. The NAS protocol is the highest stratum of the control plane. The NAS protocol can be divided into NAS Mobility Management (NAS-MM) and NAS Session Management (NAS-SM), where NAS-SM messages are carried by NAS-MM in a transparent container. The SMF interacts with a back-end AAA server, possibly located in an external domain. EAP packets can be transported over AAA between the SMF and this external server either in direct communication, as with the Protocol Configuration Options (PCO) mechanism, or alternatively transparently through the user plane function (UPF). Another possibility is that no EAP server is used, and the SMF (i.e., the EAP authenticator) runs the EAP method itself.
[0022] Some embodiments therefore use EAP, which provides support for many authentication methods such as EAP Transport Layer Security (EAP-TLS), EAP Authentication and Key Agreement (EAP-AKA), EAP Tunneled TLS (EAP-TTLS), and Protected EAP (EAP-PEAP). One or more embodiments are based on the encapsulation of EAP messages in the NAS protocol and are therefore agnostic to the type of access network (AN). Some embodiments are control-plane based and therefore agnostic to the type of PDU session, i.e., Internet Protocol (IP), non-IP, etc. By using EAP, some embodiments support different types of credentials and authentication methods. The EAP exchange would benefit from the over-the-air interface protection provided by the NAS protocol. In addition, the EAP exchange can result in the establishment of security keys to be used, for example, to protect the user plane toward the established data network.
BRIEF DESCRIPTION OF THE DRAWINGS [0023] Figure 1 is a block diagram of a wireless communication
network according to one or more embodiments.
[0024] Figure 2 is a block diagram of a 5G network according to some embodiments.
[0025] Figure 3 is a call flow diagram for secondary authentication of a UE according to some embodiments.
[0026] Figure 4 is a block diagram of a protocol stack for exchanging EAP messages between a UE and an AAA server according to some embodiments.
[0027] Figure 5 is a block diagram of a protocol stack for exchanging EAP messages between an SMF and an AAA server according to some embodiments.
[0028] Figure 6 is a logic flow diagram of a method performed by user equipment according to some embodiments.
[0029] Figure 7 is a logic flow diagram of a method performed by a control plane function (for example, SMF) according to some embodiments.
[0030] Figure 8 is a logic flow diagram of a method performed by an EAP server according to some embodiments.
[0031] Figure 9A is a block diagram of user equipment according to some embodiments.
[0032] Figure 9B is a block diagram of user equipment according to other embodiments.
[0033] Figure 10A is a block diagram of control plane equipment according to some embodiments.
[0034] Figure 10B is a block diagram of control plane equipment according to other embodiments.
[0035] Figure 11A is a block diagram of an EAP server
according to some embodiments.
[0036] Figure 11B is a block diagram of an EAP server according to other embodiments.
DETAILED DESCRIPTION [0037] Figure 1 illustrates a wireless communication network (for example, a 5G network) according to one or more embodiments. The network includes an access network 12 and a core network. The core network includes one or more control plane functions, one of which is shown as control plane function 14. The core network may include, for example, a control plane function in the form of a session management function (SMF) responsible for session management and a separate control plane function in the form of an access and mobility management function (AMF) responsible for mobility management. In any case, the core network also includes a user plane function 16.
[0038] As shown in Figure 1, user equipment 18 can request a session 20 (for example, a user plane session or a packet data unit, PDU, session) with a data network 22 (for example, one that provides network operator services, Internet access, or third-party services). The data network 22 can be internal or external to the wireless communication network. Regardless, the user plane function 16 is configured to route user plane traffic for this session, while the control plane function(s) are configured to control that session (for example, via control signaling for that session).
[0039] One or more embodiments relate to authentication of user equipment 18, for example, authentication of user equipment 18 for establishing session 20 with data network 22. The authentication can be of a secondary nature, in the sense that the authentication takes place
in addition to another, so-called primary, authentication of the user equipment (for example, which may use pre-provisioned credentials and/or be performed by a security anchor function). In some embodiments, for example, user equipment 12 requesting session 20 with data network 22 triggers such secondary authentication, for example, after primary authentication. This secondary authentication can even be performed by, controlled by, and/or delegated to this data network 16.
[0040] One or more embodiments herein exploit an extensible authentication protocol (EAP) between user equipment 18 and a control plane function 14 (for example, a session management function, SMF) in the core network in order to provide secondary authentication of user equipment 18. The control plane function 14 in this regard can serve as an EAP authenticator 24 for secondary authentication. User equipment 18 can in turn serve as the peer for EAP authentication.
[0041] In some embodiments, the control plane function 14 also serves as the EAP server that actually performs an EAP authentication method for secondary authentication. In other embodiments, an EAP server 26 separate from the control plane function 14 (as EAP authenticator) performs an EAP authentication method for the authenticator. The EAP server 26 can for example be located in the data network 22 as shown in Figure 1. An EAP server 26 separate from the EAP authenticator can be referred to as a back-end authentication server or simply an authentication server. Separating the EAP server from the control plane function 14 means that, instead of requiring the control plane function 14 to support each authentication method offered by user equipment 18, for example, EAP flexibly allows the
control plane function 14 to act as a gateway to some or all of the authentication methods supported by the EAP server 26. This in turn allows secondary authentication to be delegated to data network 22 in some embodiments. Accordingly, user equipment 18 may perform an authentication method or procedure with the EAP server 26 via, or as established by, the control plane function 14. This EAP-based approach may prove advantageous in that it supports different types of authentication methods, does not depend on IP connectivity or a specific type of access network, and/or is control-plane based so as to maintain the separation between the control plane and the user plane.
[0042] With the control plane function 14 serving as EAP authenticator 24 for secondary authentication of user equipment 18, user equipment 18 and control plane function 14 can engage in an EAP authentication exchange. As shown in Figure 1, this exchange can involve the control plane function 14 transmitting an EAP request 28 to user equipment 18, and user equipment 18 in turn receiving EAP request 28 from the control plane function 14. This EAP request 28 can request any of several different possible types of information from user equipment 18 (for example, an identity, an MD5 challenge, etc.). The type of information requested can be indicated by a type field in the request 28. In any case, the EAP request 28 can request information as part of negotiating which authentication method should be used for secondary authentication of user equipment 18.
[0043] Responsive to EAP request 28, user equipment 18 (as EAP peer) can transmit an EAP response 30 to the control plane function
14 (as EAP authenticator 24). The EAP response 30 may for example include the type of information indicated by the type field in the EAP request 28.
[0044] One or more additional sequences of requests and responses may continue in a similar manner. This can continue until the control plane function 14, as EAP authenticator, either cannot authenticate user equipment 18 (for example, due to an unacceptable EAP response to one or more EAP requests) or determines that successful authentication has occurred.
[0045] In some embodiments, for example, transmission by the user equipment of a request to establish session 20 triggers secondary authentication of user equipment 18. In this case, a session establishment response can in turn be transmitted to the user equipment and include either an EAP success message indicating secondary authentication success or an EAP failure message indicating secondary authentication failure.
[0046] In these and other embodiments, the EAP request 28 and the EAP response 30 can be encapsulated within respective non-access stratum (NAS) protocol messages. NAS in this regard may be the highest stratum of the control plane. Thus encapsulated, the EAP request 28 and the EAP response 30 can be communicated between user equipment 18 and the control plane function 14 regardless of the type of access network 12.
[0047] In embodiments involving EAP server 26 (for example, in data network 22 as shown in Figure 1) for secondary authentication, the control plane function 14 can forward the EAP request 28 and the
EAP response 30 between the user equipment 18 and the EAP server 26. The control plane function 14 can for example inspect EAP messages transmitted or received in order to determine whether or where to forward those messages. In any case, the EAP server 26 can transmit the EAP request 28 to the user equipment 18 via the control plane function 14 as EAP authenticator, and, responsive to the EAP request, can receive via the control plane function 14 the EAP response 30 from user equipment 18.
[0048] In some embodiments, the EAP request 28 and the EAP response 30 are transmitted between the control plane function 14 and the EAP server 26 through the user plane function 16, which can for example be selected by the control plane function 14. In some embodiments, the user plane function 16 can serve as a proxy for the EAP server 26. In other embodiments, the user plane function 16 serves as a router through which the EAP request 28 and EAP response 30 pass transparently.
[0049] These and other embodiments may therefore allow the wireless communication network to delegate to the data network 22 the secondary authentication of the user equipment 18 (for example, to authenticate the user equipment's establishment of session 20 with the data network 22). Especially where the data network 22 implements the EAP server 26 that actually performs the authentication method used for such authentication, this may mean that the wireless communication network flexibly and generically supports different authentication methods.
[0050] Alternatively or additionally, the core network in some embodiments may comprise multiple different network slices respectively dedicated to different services. In this case, secondary
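The exchange of [0042] to [0049], as an added Python example that is not code from the patent or from any 3GPP product: the UE acts as EAP peer, the SMF as pass-through authenticator that inspects each RFC 3748 packet and relays it inside a NAS-SM container, and a back-end server runs the method. The NAS container tag, the credential store and the choice of EAP-MD5 (used only because it fits in a few lines; it exports no keys) are assumptions of this example.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 s.4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4                            # RFC 3748 s.5
NAS_EAP_IE = 0x78  # constructed tag for the EAP container IE (not the real NAS-SM coding)

def eap_encode(code, identifier, eap_type=None, type_data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def eap_decode(pkt):
    """Parse an EAP packet; a relay must drop length-inconsistent or unknown-Code packets."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    has_type = code in (EAP_REQUEST, EAP_RESPONSE)
    if length > len(pkt) or code not in (1, 2, 3, 4) or (has_type and length < 5):
        raise ValueError("malformed EAP packet")
    return {"code": code, "id": identifier, "type": pkt[4] if has_type else None,
            "data": pkt[5:length] if has_type else b""}

def nas_wrap(eap_pkt):
    """Carry an EAP packet inside a NAS-SM container (constructed TLV layout)."""
    return bytes([NAS_EAP_IE]) + struct.pack("!H", len(eap_pkt)) + eap_pkt

def nas_unwrap(pdu):
    if len(pdu) < 3 or pdu[0] != NAS_EAP_IE or len(pdu) != 3 + int.from_bytes(pdu[1:3], "big"):
        raise ValueError("malformed EAP container IE")
    return pdu[3:]

def md5_response(identifier, secret, challenge):
    """EAP-MD5 (CHAP) response value: MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class EapMd5Server:
    """Back-end EAP server executing the EAP-MD5 method on behalf of the authenticator."""
    def __init__(self, users):
        self.users = users  # identity -> secret (constructed credential store)
        self.identity, self.challenge, self.next_id = None, None, 1

    def start(self):
        return eap_encode(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)

    def handle(self, pkt):
        msg = eap_decode(pkt)
        if msg["code"] != EAP_RESPONSE or msg["id"] != self.next_id:
            raise ValueError("EAP server received an unexpected packet")
        self.next_id += 1
        if msg["type"] == EAP_TYPE_IDENTITY:
            self.identity, self.challenge = msg["data"].decode(), os.urandom(16)
            return eap_encode(EAP_REQUEST, self.next_id, EAP_TYPE_MD5, bytes([16]) + self.challenge)
        if msg["type"] == EAP_TYPE_MD5 and self.challenge is not None and msg["data"]:
            value, secret = msg["data"][1:1 + msg["data"][0]], self.users.get(self.identity)
            if secret and hmac.compare_digest(value, md5_response(msg["id"], secret, self.challenge)):
                return eap_encode(EAP_SUCCESS, msg["id"])
        return eap_encode(EAP_FAILURE, msg["id"])

class EapPeer:
    """UE side: answers each EAP request with a response carrying the same Identifier."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, pkt):
        msg = eap_decode(pkt)
        if msg["type"] == EAP_TYPE_IDENTITY:
            return eap_encode(EAP_RESPONSE, msg["id"], EAP_TYPE_IDENTITY, self.identity.encode())
        value = md5_response(msg["id"], self.secret, msg["data"][1:1 + msg["data"][0]])
        return eap_encode(EAP_RESPONSE, msg["id"], EAP_TYPE_MD5, bytes([16]) + value)

class SmfPassThrough:
    """SMF as pass-through authenticator: inspects Code/Identifier of every message and
    relays only the UE's answer to the outstanding request (RFC 3748 s.4.1 silent discard)."""
    def __init__(self, server):
        self.server, self.outstanding, self.result = server, None, None

    def to_ue(self, eap_pkt):
        msg = eap_decode(eap_pkt)
        if msg["code"] == EAP_REQUEST:
            self.outstanding = msg["id"]
        else:
            self.result = msg["code"]  # Success/Failure ends the exchange
        return nas_wrap(eap_pkt)

    def from_ue(self, nas_pdu):
        eap_pkt = nas_unwrap(nas_pdu)
        msg = eap_decode(eap_pkt)
        if msg["code"] != EAP_RESPONSE or msg["id"] != self.outstanding:
            return None  # stale, replayed or unsolicited response: discard, do not relay
        self.outstanding = None
        return self.to_ue(self.server.handle(eap_pkt))

def run_secondary_auth(peer, smf):
    """Drive the whole exchange; True only if the SMF relayed an EAP Success."""
    nas = smf.to_ue(smf.server.start())
    while nas is not None and smf.result is None:
        nas = smf.from_ue(nas_wrap(peer.handle(nas_unwrap(nas))))
    return smf.result == EAP_SUCCESS
```

`run_secondary_auth(EapPeer("alice@dn.example", b"s3cret"), SmfPassThrough(EapMd5Server({"alice@dn.example": b"s3cret"})))` walks the Identity and MD5-Challenge round trips and returns True; a wrong secret or unknown identity ends in EAP Failure.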
authentication of user equipment 18 may comprise slice-specific authentication of user equipment 18 for access to a specific network slice of the core network. In a similar way, then, the wireless communication network can generically and flexibly support different authentication methods (for example, which may differ between network slices).
[0051] One or more embodiments will now be described in the context of 5G (also known as Next Generation, NG) as being developed by 3GPP. 5G aims (among other things) to separate the control plane from the user plane. The control plane is responsible for control and for the transmission of signaling information, while the user plane is responsible for routing user traffic. Separating the control plane involves extracting the control plane functions from a gateway to make a simpler user plane node. A gateway is thus divided into S/PGW-U and S/PGW-C components that can scale independently, where SGW-U is the component of a serving gateway (SGW) that handles user plane functions, PGW-U is the component of a packet gateway (PGW) that handles user plane functions, SGW-C is the component of an SGW that handles control plane functions, and PGW-C is the component of a PGW that handles control plane functions. In this way, the control plane, and all the associated complex interactions, can be centralized, while the user plane is distributed over the IP service fabric and scaled as required by the traffic load.
[0052] In addition, 5G allows virtualization of network functions and software-defined networking. The architecture of the 5G system should leverage service-based interactions between the Control Plane (CP) network functions where identified.
[0053] In addition, 5G aims to modularize the function design, for example, to allow flexible and efficient network slicing. In addition, whenever applicable, procedures (that is, sets of interactions between network functions) are defined as services so that they can be reused.
[0054] Figure 2 in this regard depicts a baseline architecture for NG. The architecture includes several network functions. Control plane functions include a session management function (SMF), an access and mobility management function (AMF), a policy control function (PCF), an authentication server function (AUSF), and unified data management (UDM).
[0055] The SMF may include some or all of the following features, and some or all of the SMF functions can be supported in a single instance of an SMF. SMF functionality includes session management (e.g., session establishment, modification and release, including maintaining the tunnel between the UPF and the access network node), allocation and management of UE IP addresses (including optional authorization), selection and control of the UP function, configuration of traffic steering in the UPF to route traffic to the proper destination, termination of interfaces towards policy control functions, control of part of policy enforcement and quality of service (QoS), lawful interception (for SM events and the interface to the lawful interception system), termination of the SM parts of NAS messages, downlink data notification, initiation of AN-specific SM information sent via the AMF over N2 to the AN, determination of the service and session continuity (SSC) mode of a session (for IP-type PDU sessions), roaming functionality, handling of local enforcement to apply QoS service level agreements (SLAs) (visited public land mobile network, VPLMN), charging data collection and charging interface (VPLMN),
lawful interception (in the VPLMN for SM events and the interface to the LI system), and support for interaction with an external DN for transport of PDU session authorization/authentication signaling by the external DN.
[0056] The Access and Mobility Management Function (AMF), in turn, may include some or all of the following features, and some or all of the AMF functions can be supported in a single instance of an AMF: termination of the radio access network (RAN) CP interface (N2), NAS termination (N1), NAS ciphering and integrity protection, registration management, connection management, reachability management, mobility management, lawful interception (for AMF events and the interface to the LI system), transparent proxy for routing SM messages, access authentication, access authorization, security anchor function (SEA or SEAF), and Security Context Management (SCM), which receives a key from the SEA that it uses to derive access-network-specific keys. With particular attention to the SEA, it interacts with the authentication server function (AUSF) and the UE, and receives the intermediate key that was established as a result of the UE authentication process. In the case of USIM-based authentication, the AMF retrieves security material from the AUSF.
[0057] A user plane function (UPF) may include some or all of the following features, and some or all of the UPF functions can be supported in a single UPF instance: anchor point for intra-/inter-radio access technology (RAT) mobility (when applicable), external PDU session point of interconnect to the data network, packet routing and forwarding, packet inspection and user plane part of policy rule enforcement, lawful interception (UP collection), traffic usage reporting, uplink classifier to support routing of traffic flows to a data network, branching
point to support multi-homed PDU sessions, QoS handling for the user plane (e.g., packet filtering, gating, uplink/downlink rate enforcement), uplink traffic verification (SDF to QoS flow mapping), transport level packet marking in the uplink and downlink, and downlink packet buffering and downlink data notification triggering.
[0058] Any of these network functions can be applied either as a network element on dedicated hardware, or as an instance of software running on dedicated hardware, or as a virtualized function instantiated on an appropriate platform, for example on a cloud infrastructure.
[0059] Among the new features of NG systems is the concept of Network Slicing. A Network Slice (NS) is basically an instance of a core network dedicated to providing a specific service. This will allow operators to handle a wide variety of new use cases, each with different service requirements in terms of Quality of Service (QoS). For example, an operator could be running a slice for the usual mobile broadband (MBB) services, in parallel with a mission-critical slice for public safety services (mission-critical push-to-talk, MCPTT) requiring very low latency, and in parallel with an Internet of Things (IoT) slice for electricity meters with very low bandwidth.
[0060] To support different types of services, operators will use several core networks implemented as network slices on a common IP service infrastructure. The idea, shown in Figure 2, is to create instances of virtual core networks (or slices) dedicated to different services. Each slice can be
optimized for the traffic profile and the commercial context of the associated service, e.g., IoT, public safety, mobile virtual network operator (MVNO), connected car, voice over WiFi, or enterprise services. Network slices can be two-dimensional in the sense that they can be both service- and customer-specific.
[0061] 5G is expected to support many new scenarios and use cases and to be an enabler for IoT. NG systems are expected to provide connectivity to a wide range of new devices such as sensors, smart wearables, vehicles, machines, etc. Flexibility would then be a key property of NG systems. This is reflected in the security requirement for network access that calls for support of alternative authentication methods and different types of credentials than the usual AKA credentials pre-provisioned by the operator and securely stored on the universal integrated circuit card (UICC). This would allow factory owners or enterprises to leverage their own identity and credential management systems for authentication and network access security.
[0062] 5G can decouple the authentication and authorization procedures for access to different network slices (NS). One possible scenario is as follows. For an NG-UE to access a particular NS, the operator can first perform primary (usual) authentication for initial network access towards the AUSF/UDM via the AMF, followed by an NS-specific secondary authentication possibly under the control of a third party. This assumes trust between the third-party service provider and the mobile network operator (MNO), which for example is offering access and transport services to that third party in a dedicated network slice instance.
[0063] The so-called Encrypted Options Request and the use of an information element called Protocol Configuration Options (PCO) can
be relevant to the scenario described above. The PCO can transfer password authentication protocol (PAP) / challenge handshake authentication protocol (CHAP) usernames and passwords to the packet data network gateway (PDN-GW), which runs them through an AAA server (possibly located in an external domain) for access authorization. Since this information is sensitive and needs to be protected, if the UE intends to send a PCO that requires ciphering (for example, PAP/CHAP usernames and passwords), the UE should set the Encrypted Options Transfer Flag in the Attach Request message and send the PCO only after NAS authentication and security setup are complete.
[0064] Among the limitations of this mechanism for use or extension in NG systems are the following.
[0065] First, the mechanism is very limited in terms of possible authentication methods. Currently there is only support for PAP and CHAP, and since PAP is obsolete from a security point of view, only CHAP remains.
[0066] Second, to support other methods and use the PCO information element to carry authentication information, it would be necessary to specify special messages between the MME and the S-GW, and between the S-GW and the PDN-GW, dedicated to that purpose. This is needed to handle authentication methods that require more than a single round trip.
[0067] Furthermore, it is difficult to see how this mechanism would fit into the Next Generation architecture described further below. In fact, taking into account the new architectural features (TR 23.799), there will probably be more hops on the path between the UE and the PDN-GW, for example in relation to the ongoing work on splitting the MME into an AM and an SM function (TR 23.799) and the control and user plane separation (CUPS) work on splitting the control plane and
Petition 870190067273, of 16/07/2019, p. 195/239
19/34 user (TR 23,714). This implies more overload and signaling at the CN.
[0068] Finally, this mechanism is a workaround, because there is no direct protocol between the UE and the PDN-GW. Making it generic enough to support other authentication methods would be technically challenging, especially since many methods have strict transport requirements and recommendations.
[0069] One or more embodiments address some of these and / or other challenges for secondary authentication through the use of EAP. EAP is specified in IETF RFC 3748. EAP is an authentication framework that supports several authentication methods.
[0070] One of the advantages of the EAP architecture is its flexibility. EAP is used to select a specific authentication mechanism, typically after the authenticator asks for more information to determine the specific authentication method to be used. Instead of requiring the authenticator to be updated to support each new authentication method, EAP allows the use of a back-end authentication server, which can implement some or all of the authentication methods, with the authenticator acting as a pass-through for some or all methods and peers. The EAP protocol can support several authentication mechanisms without having to pre-negotiate a particular one.
[0071] In EAP nomenclature, an EAP authenticator is the end of the link initiating EAP authentication. A peer is the end of the link that responds to the authenticator. A back-end authentication server is an entity that provides an authentication service for an authenticator. When used, this server typically executes EAP methods for the authenticator. An EAP server is the entity that terminates the EAP authentication method with the peer. In the case that no back-end authentication server is used, the EAP server
is part of the authenticator. In the case where the authenticator operates in pass-through mode, the EAP server is located on the back-end authentication server. Successful authentication is an exchange of EAP messages as a result of which the authenticator decides to allow access by the peer, and the peer decides to use that access. The authenticator's decision typically involves both authentication and authorization aspects; the peer may successfully authenticate to the authenticator, but access may be denied by the authenticator due to policy restrictions.
[0072] The EAP authentication exchange proceeds as follows. The authenticator sends a Request to authenticate the peer. The Request has a Type field to indicate what is being requested. Examples of Request Types include Identity, MD5-Challenge, etc. Typically, the authenticator will send an initial Identity Request; however, an initial Identity Request is not required and may be bypassed.
[0073] The peer sends a Response packet in reply to a valid Request. As with the Request packet, the Response packet contains a Type field, which corresponds to the Type field of the Request.
[0074] The authenticator sends an additional Request packet, and the peer replies with a Response.
[0075] The sequence of Requests and Responses continues as long as necessary. The conversation continues until the authenticator cannot authenticate the peer (Responses unacceptable to one or more Requests), in which case the authenticator implementation MUST transmit an EAP Failure (Code 4). Alternatively, the authentication conversation can continue until the authenticator determines that a successful authentication has occurred, in which case the authenticator MUST transmit an EAP Success (Code 3).
[0076] When operating as a pass-through authenticator, an authenticator
performs checks on the Code, Identifier, and Length fields. It forwards EAP packets received from the peer and destined for its authenticator layer to the back-end authentication server; packets received from the back-end authentication server destined for the peer are forwarded to it.
[0077] Figure 3 illustrates the message flow involving primary and secondary authentication, using EAP, according to some embodiments.
[0078] Step 1: The UE sends a registration request.
[0079] Step 2: The primary authentication procedure is performed between the UE and the SEAF. After successful authentication, the primary identity (for example, the international mobile subscriber identity, IMSI) is verified and the next steps are performed.
[0080] Step 3: NAS security is configured, that is, control plane (CP) security. From then on, all NAS messages are confidentiality and integrity protected.
[0081] Step 4: The processing of the PDU session establishment request is done in two steps. In step 4a, the UE sends the PDU session establishment request to the AMF. This message contains the primary identity and can optionally carry the secondary identity used later in the secondary EAP authentication. The request is integrity protected and optionally confidentiality protected between the UE and the AMF. The AMF verifies that the message originates from the UE that was authenticated in step 2, and forwards it, including the verified identity information. In step 4b, the SMF receives the PDU session establishment request from the AMF. If the SMF has not performed secondary authentication for the primary identity, and has a local policy to authenticate the UEs, the SMF should initiate the secondary authentication procedure. The SMF also
maintains a re-authentication policy, and if the primary identity received was authenticated by the SMF a long time ago, it may be necessary to initiate a new re-authentication.
[0082] Step 5: The secondary authentication procedure is carried out between the UE and the external AAA through the SMF. In this case, then, the SMF serves as the EAP authenticator and the external AAA serves as the EAP server. EAP messages are carried over the NAS-SM protocol, transparently to the AMF. This may require specifying new NAS-SM messages that can carry EAP packets, for example SM authentication request and SM authentication response. If the PDU session establishment request carried the secondary identity of the UE, the SMF can skip the EAP Identity request and initiate EAP authentication directly with the AAA server. Exchanging EAP over the air interface benefits from NAS layer protection.
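The pass-through exchange of paragraphs [0072] to [0076] and the SMF role of step 5, as an added example that is not code from the patent: an SMF-style authenticator that enforces the Code, Identifier and Length checks, matches each Response to the outstanding Request, relays packets to a back-end EAP server, and skips the Identity round when the secondary identity already arrived in the PDU session establishment request. The back-end server, the UE peer logic, the user table and the choice of EAP-MD5 (RFC 3748 section 5.4) as the method are all constructed for this illustration; the NAS-SM transport is represented only by the byte strings passed between the two sides.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP Code values
TYPE_IDENTITY, TYPE_MD5 = 1, 4  # the two Request/Response Types used here

@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]  # None for Success/Failure, which carry no Type field
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

def decode_eap(raw: bytes) -> EapPacket:
    """Parse a packet with the Code/Identifier/Length checks of RFC 3748 section 2.3."""
    if len(raw) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE) or not 4 <= length <= len(raw):
        raise ValueError(f"bad EAP Code {code} or Length {length}")
    body = raw[4:length]  # octets beyond Length are padding and ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, None)
    if not body:
        raise ValueError("Request/Response needs a Type field")
    return EapPacket(code, ident, body[0], body[1:])

def md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()  # CHAP value

class ToyEapServer:
    """Constructed EAP server (the external AAA of step 5): Identity round, then MD5."""
    def __init__(self, users: dict):
        self.users, self.ident, self.identity, self.challenge = users, 0, None, None

    def _challenge(self) -> EapPacket:
        self.ident, self.challenge = self.ident % 255 + 1, os.urandom(16)  # fresh Identifier
        return EapPacket(EAP_REQUEST, self.ident, TYPE_MD5, bytes([16]) + self.challenge + b"aaa")

    def start(self, identity: Optional[str] = None) -> EapPacket:
        if identity is not None:
            self.identity = identity  # came in the PDU session request: skip EAP Identity
            return self._challenge()
        self.ident += 1
        return EapPacket(EAP_REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, resp: EapPacket) -> EapPacket:
        if resp.type == TYPE_IDENTITY:
            self.identity = resp.data.decode(errors="replace")
            return self._challenge()
        secret = self.users.get(self.identity)
        ok = (resp.type == TYPE_MD5 and secret is not None and self.challenge is not None
              and hmac.compare_digest(resp.data[1:17], md5_response(resp.identifier, secret, self.challenge)))
        return EapPacket(EAP_SUCCESS if ok else EAP_FAILURE, resp.identifier, None)

def ue_respond(req: EapPacket, identity: str, secret: str) -> EapPacket:
    # Constructed peer (UE) side: answers Identity and MD5-Challenge Requests
    if req.type == TYPE_IDENTITY:
        return EapPacket(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, identity.encode())
    value = bytes([16]) + md5_response(req.identifier, secret, req.data[1:1 + req.data[0]])
    return EapPacket(EAP_RESPONSE, req.identifier, TYPE_MD5, value + identity.encode())

class SmfPassThrough:
    """SMF as pass-through authenticator: checks framing, matches Identifiers, relays."""
    def __init__(self, server: ToyEapServer):
        self.server, self.outstanding, self.result = server, None, None

    def to_ue(self, pkt: EapPacket) -> bytes:  # payload of an SM authentication request
        if pkt.code == EAP_REQUEST:
            self.outstanding = pkt.identifier
        else:  # Success (Code 3) or Failure (Code 4) ends the conversation
            self.result = "success" if pkt.code == EAP_SUCCESS else "failure"
        return pkt.encode()

    def from_ue(self, raw: bytes) -> bytes:  # payload of an SM authentication response
        try:
            pkt = decode_eap(raw)
        except ValueError:  # malformed frame: fail the exchange rather than relay it
            pkt = None
        if pkt is None or pkt.code != EAP_RESPONSE or pkt.identifier != self.outstanding:
            return self.to_ue(EapPacket(EAP_FAILURE, self.outstanding or 0, None))
        self.outstanding = None
        return self.to_ue(self.server.handle(pkt))

def run_secondary_auth(identity, secret, known_identity=None):
    # Drive one exchange end to end; returns (outcome, number of Requests the server sent)
    smf = SmfPassThrough(ToyEapServer({"ue-sensor-0042@example.org": "s3cret"}))  # constructed
    wire = smf.to_ue(smf.server.start(known_identity))
    while smf.result is None:
        wire = smf.from_ue(ue_respond(decode_eap(wire), identity, secret).encode())
    return smf.result, smf.server.ident
```

With the identity supplied up front the server sends one Request instead of two, which is the round trip the text says the SMF can save.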
[0083] Secondary EAP authentication may optionally need to be bound to the channel on which it was performed; otherwise there is a risk that a man-in-the-middle tunnels EAP packets between channels (for example if the same EAP method and credentials are used across channels). The channel binding can be made by taking channel-related information into account (for example the primary identity used in step 2, assuming it can include information related to the type of access, the type of core network or the network slice). The channel-related information is either used directly in cryptographic operations within the secondary EAP authentication, or later when the master key (i.e. master session key, MSK, or extended MSK, EMSK) created from secondary authentication is used for some purpose. The channel information can be one of the following: the type of access network (for example 5G radio or wireless local area network, WLAN), the type of core network (for example 5G core network), the type or identifier of the network slice (for example Network Slice Selection Assistance Information, NSSAI or S-NSSAI), or the data network name (DNN).
[0084] In particular, most EAP authentication methods create a master key (MSK and EMSK) as a result of authentication. This key is used to create session keys, for example an integrity protection key or an encryption key. The channel binding can be made in two places: a) within the EAP method when creating the MSK / EMSK, in which case the binding parameters are input values for the key derivation: MSK = KDF(binding parameters, other parameters) and / or EMSK = KDF(binding parameters, other parameters); or b) after the MSK / EMSK has been created, when creating some other (master) key: Key = KDF(binding parameters, MSK) and / or Key = KDF(binding parameters, EMSK).
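The two binding options of paragraph [0084], as an added example that is not code from the patent: the channel information of [0083] is encoded unambiguously and fed into a KDF either when the MSK is derived (option a) or when a key is derived from the MSK (option b). The text only writes KDF(...), so the counter-mode HMAC-SHA256 construction, the labels and the sample slice and DNN values are assumptions for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class ChannelInfo:
    """Channel-related information named in [0083]: access network type,
    core network type, network slice identifier and data network name."""
    access_type: str  # e.g. "5G-RAN" or "WLAN"
    core_type: str    # e.g. "5GC"
    s_nssai: str      # slice identifier (constructed sample values below)
    dnn: str          # data network name (constructed sample values below)

    def encode(self) -> bytes:
        # Length-prefixed fields so that ("ab", "c") and ("a", "bc") can never
        # produce the same byte string, which a bare concatenation would allow.
        out = b""
        for field in (self.access_type, self.core_type, self.s_nssai, self.dnn):
            raw = field.encode()
            out += len(raw).to_bytes(2, "big") + raw
        return out

def kdf(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """Counter-mode KDF over HMAC-SHA256 (assumed construction, SP 800-108 style)."""
    out, counter = b"", 1
    while len(out) < length:
        msg = counter.to_bytes(4, "big") + label + b"\x00" + context + (length * 8).to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def msk_with_binding(method_key: bytes, channel: ChannelInfo) -> bytes:
    """Option (a): the binding parameters are inputs when the method derives the MSK."""
    return kdf(method_key, b"MSK", channel.encode(), 64)  # MSK is 64 octets per RFC 3748

def bound_session_key(msk: bytes, channel: ChannelInfo) -> bytes:
    """Option (b): the MSK already exists; bind when deriving a further key from it."""
    return kdf(msk, b"UP-protection-key", channel.encode())

def keys_match(msk: bytes, actual: ChannelInfo, claimed: ChannelInfo) -> bool:
    """Compare the key bound to the channel the UE really used with the key the
    network derives for the channel the EAP run claims. They only agree when the
    channel information agrees, which is what defeats relaying EAP across channels."""
    return hmac.compare_digest(bound_session_key(msk, actual), bound_session_key(msk, claimed))
```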
[0085] Step 6: As part of the AAA exchange, the external AAA server can provide SMF with a reauthentication policy. This can be, for example, the maximum time after which new authentication is required.
[0086] After successful authentication, the AAA exchange may also include the exchange of service / session authorization information for the SMF. In this case, the AAA can provide the SMF with a service authorization profile (or a service authorization profile identifier / token) from which the SMF will be able to determine whether the requested service is authorized for the user, and if authorized, in what way the service should be offered in terms of, for example, Quality of Service, Quality of Experience, billing, etc.
[0087] Step 7: The SMF optionally makes the binding between the primary identity and the secondary identity, and stores it locally. When the SMF sees a new request from the AMF that carries the primary identity, it can trust that the message originates from the same UE that has the
secondary identity.
[0088] Step 8: After successful authentication and authorization, the SMF selects a user plane function, UPF, for the user plane related to the requested service.
[0089] Step 9: The SMF sends back a PDU session establishment response depending on the result of secondary authentication. This message can carry the final EAP message, that is, a PDU session establishment accept can carry EAP Success and a PDU session establishment reject can carry EAP Failure.
[0090] In step 5, the SMF assumes the role of the EAP authenticator and can rely on a back-end AAA server in the data network, possibly in another security domain, for example controlled by a third party. It is then left open how the AAA messages are transported between the SMF and the AAA server. There are different possibilities. In a first embodiment, AAA messages are transported through a direct interface between the SMF and the AAA in a similar way as in the EPC PCO solution. This interface is established based on commercial agreements when the AAA is controlled by a third party. Figure 4 shows the protocol architecture to support secondary EAP-based authentication with a direct interface between the SMF and the AAA server (called XX). On the UE to SMF side, it shows one possibility of how EAP messages are carried over the NAS protocol.
[0091] In a second embodiment, AAA messages are transferred transparently over the NG4-NG6 interfaces through the UPF. The UPF could assume the role of an AAA proxy or, even simpler, an IP router. In this case, the SMF performs step 8 before the AAA exchange in step 5 of Figure 3, so that the AAA exchange can be handled through the
selected UPF. Figure 5 shows the support of secondary authentication based on EAP, where EAP messages are transported through the UPF over the NG4-NG6 interfaces. That is, the NG4-NG6 interfaces are used transparently to carry AAA messages between the SMF and the AAA server. In this specific case (Figure 5), the UPF could act as an IP router so that the AAA exchange between the SMF and the AAA server is transparent to the UPF.
[0092] In a third embodiment, the UPF can actually act as an AAA proxy.
[0093] In a fourth embodiment, the SMF can act as an EAP server, in which case there is no need to interact with an external AAA server.
[0094] In a fifth embodiment, the primary identity and the secondary identity are the same or related to each other, for example (a part of) the primary identity is encoded in the secondary identity. The credentials used for authentication can still be different.
[0095] Like the PCO-based mechanism, secondary authentication could be used for additional authorization controlled by an external party at the request of the UE for the establishment of specific or additional PDU sessions. Other use cases related to UP protection and slicing are described in the following clauses.
[0096] User plane protection: First, if the protection of UP traffic is terminated in a UPF, the following assumption is made. User plane protection between the UE and a UPF is implemented through an additional protocol layer, independent of the protection over the NGU interface between the UE and the access network.
[0097] In this case, secondary authentication can be used to establish the necessary keys. In fact, after successful authentication,
the resulting MSK key shared between the SMF (EAP authenticator) and the UE (peer) could be used for this specific purpose.
[0098] The mechanisms for the distribution of protection keys, algorithm negotiation and security mode activation would be generic and agnostic to the authentication method. All of these operations can be performed in conjunction with the establishment of a PDU session (step 9 in Figure 3).
[0099] Network Slicing Support: Secondary authentication could be used for specific Network Slice authorization. In fact, after successful primary authentication through a given AMF, the UE could potentially be provided services across all Network Slices served by that particular AMF. It may be the case that the UE is automatically authorized to access all or some of the slices based on the subscription information. Alternatively, authorization could be applied on a specific slice basis using secondary authentication when creating a PDU session for a specific slice.
[00100] For the protection of UP traffic between the UE and a particular slice, the mechanism described in the previous clause could be used. However, the configuration of the slices in the sense of who manages or owns which network function becomes relevant. From the point of view of the trust model, this would require the UPF and SMF to be slice-specific; otherwise, protection would serve no purpose.
[00101] In view of the variations and modifications above, Figure 6 illustrates a method for secondary authentication of user equipment 18 configured for use in a wireless communication network, for example comprising an access network 12 and a core network, according to some embodiments. The method is performed by user equipment 18. The method may comprise receiving, by user equipment 18, an extensible authentication protocol (EAP) request 28 from a control plane function 14 that is in the core network (for example, an SMF) and that is serving as an EAP authenticator 24 for secondary authentication of user equipment 18 (Block 100). Secondary authentication may be authentication of user equipment 18 in addition to primary authentication of user equipment 18. The method may also comprise, responsive to EAP request 28, transmitting an EAP response 30 from user equipment 18 to the control plane function 14 (for example, SMF) (Block 110).
[00102] Figure 7 illustrates a corresponding method performed by the control plane function 14 (e.g., SMF). The method may comprise transmitting an extensible authentication protocol (EAP) request 28 from a control plane function 14 (e.g., SMF) to user equipment 18, where the control plane function 14 is in the core network and is serving as an EAP authenticator 24 for secondary authentication of user equipment 18 (Block 200). Again, the secondary authentication can be authentication of the user equipment 18 in addition to primary authentication of the user equipment 18. The method can also comprise, responsive to the EAP request 28, receiving at the control plane function 14 an EAP response 30 from user equipment 18 (Block 210).
[00103] In some embodiments, the control plane function 14 is also serving as an EAP server that performs an EAP authentication method for secondary authentication of user equipment 18. Alternatively, the control plane function 14 can serve as a pass-through authenticator that routes the EAP request 28 and EAP response 30 between user equipment 18 and an EAP server 26 (separate
from the EAP authenticator) that performs an EAP authentication method for the EAP authenticator.
[00104] Figure 8 in this regard illustrates a method performed by an EAP server 26 for secondary authentication of user equipment 18. The method may comprise transmitting an extensible authentication protocol (EAP) request 28 from an EAP server 26 to user equipment 18 via a control plane function 14 (for example, SMF) (Block 300). The control plane function in this regard is in the core network and is serving as a pass-through EAP authenticator for secondary authentication of user equipment 18. Secondary authentication can be authentication of user equipment 18 in addition to primary authentication of user equipment 18. The EAP server 26 can be configured to perform an EAP authentication method for the EAP authenticator 24. The method can further comprise, responsive to the EAP request 28, receiving at the EAP server 26 via the control plane function 14 an EAP response 30 from user equipment 18 (Block 310).
[00105] In some embodiments, the EAP server 26 is in a data network 22 with which the user equipment 18 requests a user plane session. Secondary authentication of user equipment 18 can be authentication of user equipment 18 to establish the user plane session 20. In some embodiments, secondary authentication is delegated by the wireless communication network to the data network 22.
[00106] Note that a network node here is any type of node in the AN 14 (for example, a base station) or in the core network. Where the network node is a radio network node in the AN, the node may be able to communicate with another node via radio signals. A wireless device is any type of device
able to communicate with a radio network node via radio signals. A wireless device can therefore refer to a machine-to-machine (M2M) device, a machine-type communication (MTC) device, an NB-IoT device, etc. The wireless device can also be a UE; however, it should be noted that the UE does not necessarily have a user in the sense of an individual person owning and / or operating the device. A wireless device can also be referred to as a radio device, a radio communication device, a wireless terminal, or simply a terminal; unless the context indicates otherwise, the use of any of these terms is intended to include device-to-device UEs or devices, machine-type devices or devices capable of machine-to-machine communication, sensors equipped with a wireless device, wireless-enabled desktop computers, mobile terminals, smartphones, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, wireless customer-premises equipment (CPE), etc. In the discussion here, the terms machine-to-machine (M2M) device, machine-type communication (MTC) device, wireless sensor, and sensor can also be used. It should be understood that these devices can be UEs, but are generally configured to transmit and / or receive data without direct human interaction.
[00107] In an IoT scenario, a wireless communication device as described here can be, or can be comprised in, a machine or device that performs monitoring or measurements, and transmits the results of such monitoring or measurements to another device or a network. Particular examples of such machines are energy meters, industrial machinery, or household or personal appliances, for example refrigerators, televisions, personal wearables such as watches, etc. In other
scenarios, a wireless communication device as described here can be comprised in a vehicle and can perform monitoring and / or reporting of the vehicle's operational status or other functions associated with the vehicle.
[00108] User equipment 18 here can perform the processing described here by implementing any functional means or units. In one embodiment, for example, user equipment 18 comprises respective circuits configured to perform the steps shown in Figure 6. The circuits in this regard may comprise circuits dedicated to performing certain functional processing and / or one or more microprocessors in conjunction with memory. In embodiments that use memory, which can comprise one or more types of memory such as read-only memory (ROM), random access memory, cache memory, flash memory devices, optical storage devices, etc., the memory stores program code that, when executed by one or more microprocessors, carries out the techniques described here. That is, in some embodiments the memory of user equipment 18 contains instructions executable by the processing circuitry whereby user equipment 18 is configured to carry out the processing described here.
[00109] Figure 9A illustrates additional details of user equipment 18 according to one or more embodiments. As shown, user equipment 18 includes processing circuitry 410 and communication circuitry 420 (e.g., one or more radio circuits). The communication circuitry 420 can be configured to transmit through one or more antennas, which can be internal and / or external to the user equipment 18. The processing circuitry 410 is configured to perform the processing described above,
for example in Figure 6, such as by executing instructions stored in memory 430. The processing circuitry 410 in this regard may implement certain functional means or units.
[00110] Figure 9B in this respect illustrates additional details of user equipment 18 according to one or more other embodiments. As shown, user equipment 18 can include a receiving unit or module 440 to receive the EAP request 28 and a transmission unit or module 450 to transmit the EAP response 30. These units or modules can be implemented by the processing circuitry 410 in Figure 9A.
[00111] Similarly, the control plane function 14 (for example, SMF) can be provided or implemented by control plane equipment in the control plane. Control plane equipment in this regard may include one or more control plane nodes. Multiple distributed control plane nodes can, for example, host or implement the control plane function 14 in a distributed manner. Alternatively, a single control plane node can host or implement the control plane function 14 in a centralized manner.
[00112] The control plane equipment in this regard can perform the processing of the control plane function 14 by implementing any functional means or units. In one embodiment, for example, the control plane equipment comprises respective circuits configured to carry out the steps shown in Figure 7. The circuits in this sense can comprise circuits dedicated to performing certain functional processing and / or one or more microprocessors in conjunction with memory. In embodiments that employ memory, which can comprise one or more types of memory such as read-only memory
(ROM), random access memory, cache memory, flash memory devices, optical storage devices, etc., the memory stores program code that, when executed by one or more microprocessors, carries out the techniques described here. That is, in some embodiments, the memory of the control plane equipment contains instructions executable by the processing circuitry so that the control plane equipment is configured to carry out the processing described here.
[00113] Figure 10A illustrates additional details of the control plane equipment 500 according to one or more embodiments. As shown, the control plane equipment 500 includes the processing circuitry 510 and the communication circuitry 520. The communication circuitry 520 can be configured to communicate with user equipment 18, for example via one or more defined interfaces. The processing circuitry 510 is configured to perform the processing described above, for example in Figure 7, such as by executing instructions stored in memory 530. The processing circuitry 510 in this regard may implement certain functional means or units.
[00114] Figure 10B in this respect illustrates additional details of the control plane equipment 500 according to one or more other embodiments. As shown, control plane equipment 500 can include a receiving unit or module 540 to receive the EAP response 30 and a transmission unit or module5 to transmit the EAP request 28. These units or modules can be implemented by the processing circuitry 510 in Figure 10A.
[00115] EAP server 26 (also referred to as an authentication server or back-end authentication server) here can perform the
processing by implementing any functional means or units. In one embodiment, for example, the EAP server 26 comprises respective circuits configured to perform the steps shown in Figure 8. The circuits in this regard may comprise circuits dedicated to performing certain functional processing and / or one or more microprocessors in conjunction with memory. In embodiments that use memory, which can comprise one or more types of memory such as read-only memory (ROM), random access memory, cache memory, flash memory devices, optical storage devices, etc., the memory stores program code that, when executed by one or more microprocessors, carries out the techniques described here. That is, in some embodiments, the memory of the EAP server 26 contains instructions executable by the processing circuitry whereby the authentication server 26 is configured to carry out the processing described here.
[00116] Figure 11A illustrates additional details of an EAP server 26 according to one or more embodiments. As shown, EAP server 26 includes processing circuitry 610 and communication circuitry 620. Communication circuitry 620 may be configured to communicate with user equipment 18 and / or the control plane function 14, for example through one or more defined interfaces. The processing circuitry 610 is configured to perform the processing described above, for example in Figure 8, such as by executing instructions stored in memory 630. The processing circuitry 610 in this regard may implement certain functional means or units.
[00117] Figure 11B in this respect illustrates additional details of an EAP server 26 according to one or more other embodiments. As
shown, the EAP server 26 can include a receiving unit or module 640 to receive the EAP response 30 and a transmission unit or module 650 to transmit the EAP request 28. These units or modules can be implemented by the processing circuitry 610 in Figure 11A.
[00118] Those skilled in the art will also appreciate that the embodiments included here include corresponding computer programs.
[00119] A computer program comprises instructions that, when executed on at least one processor (for example, of user equipment 18, control plane equipment 500 or EAP server 26), cause the processor to carry out the processing described above. A computer program in this regard may comprise one or more code modules corresponding to the means or units described above.
[00120] Embodiments also include a carrier containing such a computer program. This carrier may comprise one of an electronic signal, optical signal, radio signal, or computer-readable storage medium.
Claims (38)
[1]
1. Method for secondary authentication of user equipment (18), characterized by the fact that the method comprises:
receiving (100), by the user equipment (18), an extensible authentication protocol, EAP, request (28) from a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18); and responsive to the EAP request (28), transmitting (110) an EAP response (30) from the user equipment (18) to the SMF (14).
[2]
2. Method for secondary authentication of user equipment (18), characterized by the fact that the method comprises:
transmitting (200) an extensible authentication protocol, EAP, request (28) from a session management function, SMF, (14) to user equipment (18), where the SMF (14) serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18); and responsive to the EAP request (28), receiving (210) at the SMF (14) an EAP response (30) from the user equipment (18).
[3]
3. Method according to claim 1 or 2, characterized by the fact that SMF (14) also serves as an EAP server that performs an EAP authentication method for secondary authentication of the user equipment (18).
[4]
4. Method according to claim 1 or 2, characterized by the fact that the SMF (14) is configured to forward the EAP request (28) and the EAP response (30) between the user equipment (18) and an EAP server (26) that performs an EAP authentication method for the EAP authenticator.
[5]
5. Method for secondary authentication of user equipment (18), characterized by the fact that the method comprises:
transmitting (300) an extensible authentication protocol, EAP, request (28) from an EAP server (26) to the user equipment (18) through a session management function, SMF, (14), in which the SMF (14) serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18), and wherein the EAP server (26) is configured to perform an EAP authentication method for the EAP authenticator; and responsive to the EAP request (28), receiving (310) at the EAP server (26) via the SMF (14) an EAP response (30) from the user equipment (18).
[6]
6. Method according to claim 4 or 5, characterized by the fact that the user equipment (18) and the SMF (14) are configured for use in a wireless communication network, in which the EAP server is in a data network with which the user equipment (18) requests a user plane session, where the secondary authentication of the user equipment (18) is the authentication of the user equipment (18) to establish the user plane session, and where secondary authentication is delegated by the wireless communication network to the data network.
[7]
7. Method according to any one of claims 4 to 6, characterized by the fact that the EAP request (28) and the EAP response (30) are transmitted between the SMF (14) and the EAP server via a user plane function selected by the SMF (14).
[8]
8. Method according to claim 7, characterized by the fact that the user plane function serves as a proxy for the EAP server.
[9]
9. Method according to claim 7, characterized by the fact that the user plane function serves as a router through which the EAP request (28) and the EAP response (30) are transmitted transparently to the user plane function.
[10]
10. Method according to any one of claims 1 to 9, characterized by the fact that the EAP request (28) and the EAP response (30) are encapsulated within respective non-access stratum (NAS) protocol messages between the SMF (14) and the UE.
[11]
11. Method according to any one of claims 1 to 10, characterized by the fact that said transmission and reception are performed after the primary authentication of the user equipment (18) by a security anchor function in a core network.
[12]
12. Method according to any one of claims 1 to 11, characterized in that a core network comprises multiple different network slices respectively dedicated to different services, in which the secondary authentication of the user equipment (18) comprises slice-specific authentication of the user equipment (18) to access a specific network slice of the core network.
[13]
13. Method according to any one of claims 1 to 12, characterized by the fact that it further comprises, based on the successful secondary authentication of the user equipment (18), obtaining a security key shared between the user equipment (18) and the SMF (14).
[14]
14. Method according to any one of claims 1 to 13, characterized in that a request to establish a session transmitted from the user equipment (18) triggers the secondary authentication of the user equipment (18).
[15]
15. Method according to claim 14, characterized by the fact that the request to establish a session includes a secondary identity of the user equipment (18) used for secondary authentication.
[16]
16. Method according to claim 14 or 15, characterized in that a session establishment response transmitted to the user equipment (18) includes an EAP success message indicating secondary authentication success or an EAP failure message indicating secondary authentication failure.
[17]
17. Method according to any one of claims 1 to 16, characterized by the fact that it further comprises connecting the secondary authentication of the user equipment (18) to a channel through which the secondary authentication is performed.
[18]
18. Method according to any one of claims 1 to 17, characterized by the fact that it further comprises deriving, based on the successful secondary authentication of the user equipment (18), a security key shared between the user equipment (18) and the SMF (14), wherein said derivation comprises deriving the security key as a function of connection information associated with a channel through which secondary authentication is performed.
[19]
19. Method according to claim 18, characterized by the fact that said connection information comprises one or more of:
information identifying a type of access network through which the user equipment (18) accesses a wireless communication network;
information identifying a type of a core network of the wireless communication network;
information identifying a core network slice to which the user equipment (18) requests access; and
information identifying a type of core network slice to which the user equipment (18) is requesting access.
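Claims 18 and 19 describe binding the UE/SMF key to the channel: the key is derived as a function of the access network type, core network type, slice identity and slice type, so a key obtained over one channel is useless on another. The following Python is an added example, not code from the patent or from a 3GPP specification: it serialises the four kinds of connection information the claim lists, runs them through HKDF (RFC 5869, HMAC-SHA-256) together with an EAP master session key, and checks that both ends derive the same key only when they observed the same channel. The key label, the zero salt, the field values (`3GPP`, `5GC`, `slice-01`, `eMBB`) and the master key are constructed assumptions; the claims do not fix a KDF, a label or a field encoding.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_binding(access_type, core_network_type, slice_id, slice_type):
    """Serialise the four kinds of connection information named in the claim.
    Every field is length-prefixed so that different field splits can never
    produce the same octet string (e.g. ("ab", "c") versus ("a", "bc"))."""
    out = b""
    for field in (access_type, core_network_type, slice_id, slice_type):
        raw = field.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("binding field too long")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def derive_session_key(msk, binding, label=b"ue-smf-secondary-auth-key"):
    """Derive the 256-bit UE/SMF shared key from the EAP master session key
    and the channel binding. Label and zero salt are hypothetical choices."""
    prk = hkdf_extract(b"\x00" * hashlib.sha256().digest_size, msk)
    return hkdf_expand(prk, label + binding, 32)


def keys_agree(msk, ue_binding, smf_binding):
    """True only if UE and SMF derive the same key, i.e. saw the same channel."""
    return hmac.compare_digest(
        derive_session_key(msk, ue_binding), derive_session_key(msk, smf_binding)
    )


if __name__ == "__main__":
    msk = b"\x11" * 64  # constructed stand-in for the EAP master session key
    ue_view = encode_binding("3GPP", "5GC", "slice-01", "eMBB")
    smf_view = encode_binding("3GPP", "5GC", "slice-02", "eMBB")
    print("same slice:", keys_agree(msk, ue_view, ue_view))
    print("different slice:", keys_agree(msk, ue_view, smf_view))
```

The length-prefixed encoding in `encode_binding` is the part practitioners most often get wrong: plain concatenation of the slice identifier and slice type lets two different channels collapse onto the same binding string and therefore the same key.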
[20]
20. Method according to any one of claims 1 to 19, characterized by the fact that the SMF (14) is included in a 5G network.
[21]
21. User equipment (18) characterized by the fact that it is configured to:
receive an extensible authentication protocol, EAP, request (28) from a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18), in which secondary authentication is the authentication of the user equipment (18) in addition to the primary authentication of the user equipment (18); and responsive to the EAP request (28), transmit an EAP response (30) to the SMF (14).
[22]
22. User equipment according to claim 21, characterized in that it is configured to carry out the method, as defined in any of claims 3 to 4 and 6 to 20.
[23]
23. Network equipment configured to provide a session management function, SMF, (14), characterized by the fact that SMF (14) is configured to:
transmit an extensible authentication protocol, EAP, request (28) from the SMF (14) to a user equipment (18), where the SMF (14) serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to the primary authentication of the user equipment (18); and responsive to the EAP request (28), receive at the SMF (14) an EAP response (30) from the user equipment (18).
[24]
24. Network equipment according to claim 23, characterized by the fact that the network equipment is distributed over multiple network nodes.
[25]
25. Network equipment according to claim 23, characterized by the fact that the network equipment is centralized in a single network node.
[26]
26. Network equipment according to any one of claims 23 to 25, characterized by the fact that the SMF (14) is configured to carry out the method, as defined in any one of claims 2 to 4 and 6 to 20.
[27]
27. Extensible authentication protocol server, EAP, characterized by the fact that it is configured to:
transmit an EAP request (28) from the EAP server to user equipment (18) via a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18), and where the EAP server is configured to perform an EAP authentication method for the EAP authenticator; and responsive to the EAP request (28), receive at the EAP server (26) through the SMF (14) an EAP response (30) from the user equipment (18).
[28]
28. EAP server according to claim 27, characterized by the fact that it is configured to perform the method as defined in any one of claims 6 to 20.
[29]
29. Computer program characterized by the fact that it comprises instructions that, when executed by at least one processor, make the processor perform the method, as defined in any one of claims 1 to 20.
[30]
30. Carrier containing the computer program, according to claim 29, characterized by the fact that the carrier is one of an electronic signal, optical signal, radio signal, or computer-readable storage medium.
[31]
31. User equipment (18) characterized by the fact that it comprises:
processing circuitry (410) and memory (430), the memory (430) containing instructions executable by the processing circuitry (410) whereby the user equipment (18) is configured to:
receive an extensible authentication protocol, EAP, request (28) from a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to the primary authentication of the user equipment (18); and responsive to the EAP request (28), transmit an EAP response (30) from the user equipment (18) to the SMF (14).
[32]
32. User equipment according to claim 31, characterized in that it is configured to carry out the method, as defined in any of claims 3 to 4 and 6 to 20.
[33]
33. Network equipment (500) configured to provide a session management function, SMF, (14), characterized by the fact that the control plane equipment (500) comprises processing circuitry (510) and memory (530), the memory (530) containing instructions executable by the processing circuitry (510) whereby the SMF (14) is configured to:
transmit an extensible authentication protocol, EAP, request (28) from the SMF (14) to a user device (18), where the SMF (14) serves as an EAP authenticator for secondary authentication of the user device ( 18), in which the secondary authentication is authentication of the user equipment (18) in addition to the primary authentication of the user equipment (18); and responsive to the EAP request (28), to receive in the SMF (14) an EAP response (30) from the user equipment (18).
[34]
34. Network equipment according to claim 33, characterized by the fact that the network equipment is distributed on multiple network nodes.
[35]
35. Network equipment according to claim 33, characterized by the fact that the network equipment is centralized in a single network node.
[36]
36. Network equipment according to any of claims 33 to 35, characterized by the fact that the SMF (14) is configured to carry out the method, as defined in any of claims 2 to 4 and 6 to 20.
[37]
37. Extensible authentication protocol server, EAP, (26) characterized by the fact that it comprises:
processing circuitry (610) and memory (630), the memory (630) containing instructions executable by the processing circuitry (610) whereby the EAP server (26) is configured to:
transmit an EAP request (28) from the EAP server to user equipment (18) through a session management function, SMF, (14) that serves as an EAP authenticator for secondary authentication of the user equipment (18), where secondary authentication is authentication of the user equipment (18) in addition to primary authentication of the user equipment (18), and where the EAP server is configured to perform an EAP authentication method for the EAP authenticator; and responsive to the EAP request (28), receive at the EAP server (26) through the SMF (14) an EAP response (30) from the user equipment (18).
[38]
38. EAP server, according to claim 37, characterized by the fact that it is configured to carry out the method, as defined in any of claims 6 to 20.
Patent family:
Publication number | Publication date
CN110235423A | 2019-09-13
RU2755258C2 | 2021-09-14
RU2019126798A3 | 2021-03-02
RU2019126798A | 2021-03-02
JP2020506578A | 2020-02-27
EP3501155A1 | 2019-06-26
JP6889263B2 | 2021-06-18
WO2018137873A1 | 2018-08-02
US20180317086A1 | 2018-11-01
US20190230510A1 | 2019-07-25
Legal status:
2021-10-19 | B350 | Update of information on the portal [chapter 15.35 patent gazette]
Priority:
Application number | Filing date | Patent title
US201762451645P | true | 2017-01-27 | 2017-01-27
PCT/EP2017/084383 | WO2018137873A1 | 2017-01-27 | 2017-12-22 | Secondary authentication of a user equipment